refresh

@PostMapping(value = "/refresh")
open fun refresh(@RequestHeader(value = "DPoP", required = false) dpopProof: String, request: HttpServletRequest): ResponseEntity<AuthResponse>

Refresh the access token. In plain words:

- The browser sends a DPoP proof and the refresh cookie (sent automatically with credentials).
- We verify both, rotate the refresh cookie (so an old one can’t be reused), and return a new access token.
- If anything is suspicious (missing/used cookie, mismatched key), we revoke the session.

Headers:

- DPoP (required)

Cookie (sent automatically):

- __Host-rt
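The rotation and revocation rules described above, sketched as an added example (not the project's own code). All class and function names are hypothetical. It assumes the DPoP proof has already been verified and reduced to its key thumbprint (`jkt`), and it rejects a missing cookie without revoking, because this model has no other way to identify the session.

```kotlin
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Hypothetical in-memory model; none of these names come from the project.
class Session(val jkt: String, var currentHash: String, var revoked: Boolean = false)

sealed interface RefreshResult {
    data class Rotated(val newRefreshToken: String) : RefreshResult
    data class Revoked(val reason: String) : RefreshResult
    object Rejected : RefreshResult
}

class RefreshRotator {
    private val byHash = mutableMapOf<String, Session>() // token hash -> owning session
    private val rng = SecureRandom()
    private val b64 = Base64.getUrlEncoder().withoutPadding()

    // Only hashes are stored, so a leaked store does not yield usable cookies.
    private fun sha256(s: String): String =
        b64.encodeToString(MessageDigest.getInstance("SHA-256").digest(s.toByteArray()))

    private fun newToken(): String = b64.encodeToString(ByteArray(32).also { rng.nextBytes(it) })

    fun issue(jkt: String): String = newToken().also { byHash[sha256(it)] = Session(jkt, sha256(it)) }

    // cookie: value of __Host-rt (null if absent); proofJkt: key thumbprint from a verified DPoP proof.
    fun refresh(cookie: String?, proofJkt: String): RefreshResult {
        val hash = sha256(cookie ?: return RefreshResult.Rejected)
        val session = byHash[hash] ?: return RefreshResult.Rejected
        if (session.revoked) return RefreshResult.Rejected
        if (hash != session.currentHash) return revoke(session, "rotated-out cookie reused")
        if (proofJkt != session.jkt) return revoke(session, "DPoP key mismatch")
        val next = newToken()
        session.currentHash = sha256(next)
        byHash[session.currentHash] = session // old hash stays mapped so a replay is recognised
        return RefreshResult.Rotated(next)
    }

    private fun revoke(s: Session, reason: String) = RefreshResult.Revoked(reason).also { s.revoked = true }
}

fun main() {
    val rotator = RefreshRotator()
    val first = rotator.issue("jkt-A") // constructed sample thumbprint
    val second = (rotator.refresh(first, "jkt-A") as RefreshResult.Rotated).newRefreshToken
    println(rotator.refresh(first, "jkt-A"))  // replay of the rotated-out cookie
    println(rotator.refresh(second, "jkt-A")) // the newer cookie no longer works either
}
```

Keeping the rotated-out hashes mapped to their session is what lets a replayed cookie be told apart from an unknown one, so the whole session can be revoked rather than just the request refused.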